Mobile IPSEC Radius IP Assignment



  • Is it possible to have radius give out IPs for users connecting via mobile IPSEC?  I have the authentication part working, but it seems no matter what settings we try pfsense does not give the assigned ip address to the user. This is with StrongSwan. 2.2.4.

    I am using IAS for Radius, just wondering if anyone got this working.



  • Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

    Normally the VPN device is giving the new IP addresses to the IPSec clients and then the Radius
    Server is authenticating the VPN clients over the certificates.

    I have the authentication part working,

    Ok, this would be the hardest part as I see it right. If this is working it is only a
    smaller tut for you to read and then you will have it up and running well.

    but it seems no matter what settings we try pfsense does not give the assigned ip address to the user.

    Please see under the link how to solve this and enrich this by setting up the Radius Server address
    in the IPSec settings! Please read this tutorial


  • Rebel Alliance Developer Netgate

    @djamp42:

    Is it possible to have radius give out IPs for users connecting via mobile IPSEC?

    Not currently.



  • It is possible but not via GUI and this option gets lost on a restart of ipsec over the GUI (`ipsec reload`).

    With this entry it works:

    ```
    rightsourceip=%radius
    ```

    So maybe someone can add this option to the GUI:

    VPN: IPsec: Mobile
    -> Virtual Address Pool as add point

    best regards


  • Hi
    I patched my /etc/inc/ipsec.inc so that, if in Phase1 the Auth. method is EAP-RADIUS and in the Mobile clients setting the virtual address pool is not checked, it adds

    ```
    rightsourceip=%radius
    ```

    For me it works now with an Android + strongSwan app (IKEv2 EAP) and it gets the ip from freeradius

    best regards

    [vpn.inc.zip](/public/_imported_attachments_/1/vpn.inc.zip)

  • Rebel Alliance Developer Netgate

    Can you post that as a text diff, rather than a .zip? I'd like to try it but I'd rather not replace the entire file.



  • This is an interesting patch - I would also be interested in the diff!



  • @MaxHeadroom:

    gets the ip from freeradius

    While I'm thinking about it - with this patch, are you defining IP addresses for already existing (on pfSense) networks? Only reason I ask is that you are turning off the virtual network option.



  • Hi,

    sorry for the delay, here is the patch for getting the IP from the radius, and no, they are not already existing networks on the pfSense. It is only that the radius server submits the IP.

    I also have a second patch, same like the first patch + change from IKEv2 EAP to IKEv2 Certificate + EAP: just add rightauth2 and change a little bit the generation of `/var/etc/ipsec/ipsec.conf`.

    I haven't changed the selectable name on the GUI, maybe it is better to add another option? (Better someone who already knows how this stuff works can do this.)

    With both patches the IPSec tunnel is working with IPSec Freeswan on Android very well.
    For security reasons I like certs also on the client 8)

    Oh sorry, I forgot to say: you have to unset **virtual address pool** for the static IP from radius (Don't forget to set a user IP on the radius server!)

    BR
    markus

    [vpn.inc.patch.zip](/public/_imported_attachments_/1/vpn.inc.patch.zip)
    [vpn.inc.patch2.zip](/public/_imported_attachments_/1/vpn.inc.patch2.zip)

  • Rebel Alliance Developer Netgate

    The second thing would definitely need its own, separate GUI choice since it isn't compatible with the current eap-radius selection.

    The IP address pulling bit works OK, though I was disappointed to find that it doesn't look like strongSwan has a way to fall back to a local pool if there is no IP address in RADIUS. There is a way to specify multiple items in rightsourceip but it ends up using both at all times, not one then the other. For example if I use "%radius,x.x.x.0/24" it gives an address to the user from both RADIUS and the local pool.

    I committed a variation of the IP address part here:
    https://github.com/pfsense/pfsense/commit/86330e2b9ba85930a15a2cbd5ef7e7c3d0b3f814

    The only negative side effect is that it would not allow someone to configure eap-radius and omit the pool entirely (hardcode IP addresses on the client) – I can't imagine anyone wanting to do that, but maybe someone does. Might still need a GUI checkbox.



  • Sorry for the slow reply - running this patch on my home box and it works brilliantly, so thanks!

    Out of interest, is this something that is likely to end up in the release, further down the road?


  • Rebel Alliance Developer Netgate

    It's already in for 2.2.5 so it will be in a release shortly.



  • Great stuff! :D



  • Hi

    I managed to make it also work with Mutual RSA and Xauth. Strongswan has support for xauth-radius

    replace line

    ```php
    $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
    ```

    with

    ```php
    $rightsourceip = "\trightsourceip = %radius\n";
    ```

    and

    ```php
    $authentication .= "\n\trightauth2 = xauth-generic";
    ```

    with

    ```php
    $authentication .= "\n\trightauth2 = xauth-radius";
    ```

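As an added example (my own code, not from this thread or from pfSense), a small Python audit of a generated ipsec.conf that encodes the points made in the thread: eap-radius needs `rightsourceip = %radius`, `%radius` combined with a local pool assigns from both instead of falling back, and the Mutual RSA + XAuth variant needs `xauth-radius` rather than `xauth-generic`. The sample config, conn names and function names are constructed, and `rightsourceip_line` is my reading of the committed behaviour described above, not the actual ipsec.inc logic.

```python
# Added example, not code from the thread or pfSense: audit strongSwan ipsec.conf mobile conns.

def parse_ipsec_conf(text):
    """Minimal parser: return {conn_name: {key: value}} for 'conn' sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header such as 'conn con1'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def rightsourceip_line(auth_method, pool_address=None, pool_netbits=None):
    """My reading of the committed behaviour: eap-radius always uses %radius, else the GUI pool."""
    if auth_method == "eap-radius":
        return "rightsourceip = %radius"  # no local fallback exists for this
    if pool_address and pool_netbits is not None:
        return f"rightsourceip = {pool_address}/{pool_netbits}"
    return None  # no pool at all: the client keeps its own address

def audit_mobile_conn(conn):
    """Return findings for one parsed conn; an empty list means it looks right."""
    findings = []
    sources = [s.strip() for s in conn.get("rightsourceip", "").split(",") if s.strip()]
    if conn.get("rightauth") == "eap-radius" and "%radius" not in sources:
        findings.append("eap-radius without rightsourceip=%radius: RADIUS Framed-IP-Address ignored")
    if "%radius" in sources and len(sources) > 1:
        findings.append("rightsourceip mixes %radius with a local pool: both assign, no fallback")
    if conn.get("rightauth2") == "xauth-generic" and "%radius" in sources:
        findings.append("xauth-generic does not authenticate via RADIUS, so %radius has no address: use xauth-radius")
    return findings

# Constructed sample in the layout pfSense writes (tab-indented conn sections).
SAMPLE_CONF = """\
conn con1
\trightauth = eap-radius
\trightsourceip = %radius,10.8.0.0/24
conn con2
\trightauth = pubkey
\trightauth2 = xauth-radius
\trightsourceip = %radius
"""
```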